Business Continuity Management for  Critical Outsourced Vendors Rohit Verma 25 Apr 11

BCM For Outsourced Vendors

Key BCM considerations when outsourcing critical operations.

Published in: Business, Technology

Transcript of "BCM For Outsourced Vendors"

  1. Business Continuity Management for Critical Outsourced Vendors. Rohit Verma, 25 Apr 11
  2. Outsourcing trend
     Business, Technology and Support functions:
     • Banking Services
     • Core business operations
     • Call Center/s
     • Market Data for financial services
     • Data Center Operations, Application Systems Maintenance
     • Third Party Claims Administration
     • Help Desk
     • Human Resources / Payroll
     • Training
     • Telecommunications
     • Facilities Maintenance
  3. Outsourcing risks
     • Loss of control
     • Viability of service providers
     • Service quality
     • Lack of expertise
     • Hidden and uncertain costs
     • Knowledge transfer
     • Restrictions on enhancements and customisation
     • Shared infrastructure environment
     • Legal and regulatory aspects
     • Business Continuity
     All these risks can be managed. But the proficiency with which these risks must be managed cannot be achieved without consultative intervention from the BCM Manager.
  4. Outsourcing Stakeholders (diagram): YOU (Client BCM), Customers, Legal Dept, Business RM, MIS to Mgmt, Outsourced Vendors, Sourcing Dept, Regulators, Sub Contractors
  5. Key Success Factors
     • Perform a detailed DDR before outsourcing.
     • Ensure BCM coverage in the contracts.
        • Strong language that truly speaks of the business continuity efforts that would be required of a vendor during a disaster.
        • Anticipate potential failure of the vendor and include provisions for such an event.
        • Client to avail alternative facilities and resources or to move functions back in house.
     • Regularly assess vendors' capability.
        • Need to be confident that critical vendors can actually recover within the required time.
        • Periodic exercising.
     • Ensure that the client and the vendor see things the same way.
        • Ensure dependencies have not changed.
        • At all times, safeguard customers from negative aspects of an event.
     • Be aware of and review services further outsourced by the vendor.
  6. Third Party Suppliers/Vendors
     • Key BCM planning assumption - potential loss or unavailability of critical third party vendors/suppliers.
        • Regulators are now looking more closely at 3rd party dependencies.
     • What is the impact of partial / complete loss of these services?
        • SPOFs
        • Temporary loss of one or more services
        • Inconvenience with limited impact
     • Assess alternative mechanisms to continue the affected operation:
        • Manual / Interim procedures
        • Secondary provider
        • Vendor provided contingency solution
  7. Aspects to consider during DDR
     Strategic:
     • Discuss vendors' contingency plans to assess how you would be supported in case of significant interruption.
     • Has the vendor built redundancy into its operations (e.g., split operations, data storage fail-over, high-availability networks)?
     • Are you a priority client for the vendor (how much business do you give)?
     • Will your service level be reduced so that the vendor can also support other clients?
  8. Aspects to consider during DDR
     Operational:
     • Redundancy in service providers for telecommunications, power, internet.
     • Safety / environmental controls in the office.
     • Physical security: perimeter, access controls, car parks.
     • Seismic rating / history.
     • Building safety - any fire risks in the building, e.g. restaurants.
     • Modes of public transport available.
     • Nearest distance to fire station, hospital, police station.
     • Any political unrest or terrorist activities in the past in that area?
  9. Typical BCM related SLA clauses
     Vendor to ensure that its BCP contains:
     • Agreed uptime service levels: RTO, RPO.
     • Details of its premises and alternate sites.
     • Arrangements for non-availability of premises.
     • IT DR framework (fail over, fail back, Production-DR interchange mode).
     • Details of manual workarounds.
     • Process for client to review draft BCM Plan.
     • Procedure to invoke BCM - Crisis management.
     • Vendor to notify client immediately upon a potential event.
     • Details of further sub-contracting / 3rd party dependency.
     • BCM roles and responsibilities of client, vendor and sub-contractors.
     • Details of where and how copies of BCM Plan shall be stored.
  10. Typical BCM related SLA clauses
     • Vendor undertakes to update and test the plan at least annually.
     • Nominated BCM Representatives of client and vendor to meet and discuss the Plan at least every 6 months.
     • Right to participate in vendors' recovery exercises to confirm functionality.
     • Right to audit - inspect related documents.
     • Financial restitution in case of outage (though it may not be helpful during an incident).
     • Monthly MIS / Report of incidents: date, time, nature, duration, impact, action taken, action closure due date.
     • Dispensation process (only for non-critical vendors).
  11. Vendor classification
     • Not all vendors are equally critical.
     • Perform an HML segmentation.
     • BCM efforts to be based on the relative importance of each vendor.
     • Depending upon the HML rating, the SLA clauses can vary.
     • Sourcing and Legal departments to finalise the vendor agreement only after BCM approval.
  12. Some Good Practices
     1. Obtain an annual declaration from the vendors stating that the vendor has a BCP in place which:
        • Specifies roles and responsibilities associated with its BCM.
        • Addresses both internal and external plausible threats.
        • Contains IT DR Plan for critical processes.
        • Defines escalation process in case of any event.
     2. BCM training to vendors - make vendor management and key staff aware of your BCM Policy and Standards.
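  13. MIS for Vendor DDR

| Sr | Vendor Name | Go Live date | Total Number of BCM DDR points | Number of DDR points closed | Number of Open / Overdue points | Closure Due Dates | Annual Declaration received |
|----|-------------|--------------|--------------------------------|-----------------------------|---------------------------------|-------------------|-----------------------------|
| 1 | ABC Ltd | 1 Jan 10 | 10 | 7 | 3 | 30 Dec 10 | Yes |
| 2 | | | | | | | |
| 3 | | | | | | | |
| 4 | | | | | | | |
| 5 | | | | | | | |
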
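  14. MIS for Vendor BCM Compliance

| Sr | Vendor Name | Service provided | Overall Risk | BCM Risk (High, Medium, Low) | BCM Tier (1 - 5) | Last signed off BCP date | Last BCM test date |
|----|-------------|------------------|--------------|------------------------------|------------------|--------------------------|--------------------|
| 1 | ABC Ltd | ATM cash replenishment | High | Medium | 2 | 30-Jun-10 | 10-Dec-10 |
| 2 | | | | | | | |
| 3 | | | | | | | |
| 4 | | | | | | | |
| 5 | | | | | | | |
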
  15. Q & A
